Query Details

Successful User Account Login

Query

Use Case: Identifying successful logon events within the last 7 days to monitor for unauthorized access.

Query:

WindowsEvent('Security', 7d)
| where tostring(EventId) == '4624'

Explanation

The query looks for successful logon events in the Windows Security log within the last 7 days. It keeps only events with an EventId of 4624, which indicates that an account successfully logged on; the EventId is converted to a string with tostring() before it is compared against '4624'. The resulting events are reviewed to monitor for unauthorized access.
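As an added example that is not part of the original page, the same filter is mirrored offline in Python over a handful of constructed Security-channel events, together with the per-account, per-logon-type rollup an analyst would typically want before judging whether a 4624 event is unauthorized. The event records, account names and addresses are constructed, and the field names (Channel, EventId, Account, LogonType, IpAddress) are assumptions for this sample only.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events; not real telemetry. The fixed "now" keeps the
# 7-day window deterministic.
NOW = datetime(2024, 2, 4, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # successful RDP logon (LogonType 10 = RemoteInteractive), inside window
    {"TimeGenerated": NOW - timedelta(days=1), "Channel": "Security",
     "EventId": 4624, "Account": "CONTOSO\\alice", "LogonType": 10,
     "IpAddress": "203.0.113.5"},
    # failed logon (4625): must be excluded
    {"TimeGenerated": NOW - timedelta(days=2), "Channel": "Security",
     "EventId": 4625, "Account": "CONTOSO\\bob", "LogonType": 3,
     "IpAddress": "198.51.100.7"},
    # successful logon but 9 days old: outside the 7d lookback
    {"TimeGenerated": NOW - timedelta(days=9), "Channel": "Security",
     "EventId": 4624, "Account": "CONTOSO\\alice", "LogonType": 2,
     "IpAddress": "-"},
    # EventId arrives as a string; tostring() in the KQL makes this match too
    {"TimeGenerated": NOW - timedelta(hours=3), "Channel": "Security",
     "EventId": "4624", "Account": "CONTOSO\\svc-backup", "LogonType": 3,
     "IpAddress": "192.0.2.44"},
    # wrong channel: not a Security-log event
    {"TimeGenerated": NOW - timedelta(hours=1), "Channel": "System",
     "EventId": 4624, "Account": "CONTOSO\\carol", "LogonType": 2,
     "IpAddress": "-"},
]


def successful_logons(events, now=NOW, lookback=timedelta(days=7)):
    """Mirror of: WindowsEvent('Security', 7d) | where tostring(EventId) == '4624'."""
    cutoff = now - lookback
    return [
        e for e in events
        if e["Channel"] == "Security"
        and e["TimeGenerated"] >= cutoff
        and str(e["EventId"]) == "4624"   # same string comparison as the KQL
    ]


def summarize_by_account(events):
    """Count matching logons per (Account, LogonType) so unusual combinations,
    such as a service account logging on interactively, stand out."""
    counts = {}
    for e in successful_logons(events):
        key = (e["Account"], e["LogonType"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (account, logon_type), n in sorted(summarize_by_account(SAMPLE_EVENTS).items()):
        print(f"{account:<22} LogonType={logon_type:<3} count={n}")
```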

Details


Ugur Koc

Released: February 4, 2024

Tables

Security

Keywords

WindowsEvent,Security,EventId

Operators

|, where, tostring, ==
